
Hi everyone!

We’re seeing another emerging issue around Internet Explorer that we wanted to make you aware of…

If you are seeing slow performance within Internet Explorer 8 (opening new tabs, for example), after just recently installing the latest version of the Skype application (v4.1), this could be the cause.  We believe the reason behind this performance issue is an IE add-on that gets installed by the latest revision of the Skype software.

To resolve this issue quickly, please open Managed Add-Ons and disable the installed Skype IE add-on:

image

image

Please note:  So far, we are only seeing this issue with this specific version of Skype in conjunction with Internet Explorer 8.

Regards,

The IE Support Team

Hi everyone!

IE Support is seeing a huge influx of issues with weird IE behaviors and failures coming in over the last two days.  We are seeing IE crashes, IE simply unloading from memory, and even script errors on web applications that have been working in the past without issue.  Currently, we are only seeing these errors with Internet Explorer 7 and 8.

The issue appears to be related to a recent signature update to McAfee’s Host Intrusion Prevention software that was released on July 14, 2009.

If you have been seeing these kinds of behaviors with Internet Explorer since on or around July 14th, 2009, we recommend that you review the details outlined in this McAfee KB article:

https://kc.mcafee.com/corporate/index?page=content&id=KB66316

Our understanding is that a signature update has already been released to resolve this issue.  However, if you need further assistance from McAfee technical support in getting the signature update, you can contact them using the information located here:

http://www.mcafee.com/us/about/contact/index.html

More information:  You can continue to browse in a limited capacity by starting Internet Explorer in No Add Ons mode by using the shortcut located under All Programs | Accessories | System Tools until you update the affected signature file:

image

There is also a command line option you can use.  From a command line window, you can use the option below:

image

Once you hit enter, IE will load with no Add Ons within the IE process:

image

Regards,

The IE Support Team

Just in!

A cumulative release is now available for the vulnerability outlined in KB972890.  Details and downloads can be found here:

http://www.microsoft.com/technet/security/Bulletin/MS09-032.mspx

If you have any questions regarding what to do if you already have a workaround in place, please review the FAQ for MS09-032 using the link above.

 

Please note: 

The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

 

Regards,

The IE Support Team

Hi everyone!

Axel here from the IE Team with a quick Group Policy ADM template to help implement the workaround described in security advisory 973472. I am also including the .reg file and .adm templates for both x86 and x64 versions.

Please note:  This is an “as is” template, so feel free to tweak it as needed.

Important: This policy requires that you disable filtering in the group policy editor. See steps below on how to set this up.

How to load the Custom ADM Template?

  1. To start Group Policy, click Start and then click Run. In the Open box, type GPedit.msc or GPMC.msc if from a Domain policy and then click OK.
  2. Select Administrative Templates from the Computer Configuration branch.
  3. Right-click the Administrative Templates branch, and then select All Tasks.
  4. Select Add/Remove Templates.
  5. Click Add.
  6. Load the ADM templates.

Please note: Windows 2003, Windows XP will display the policy under: Administrative Templates > New Policy

Here is how you disable the Group Policy filter:

  1. Right click on the Policy and select View > detail > Filtering
  2. Remove the check mark from the check box next to "Only show policy settings that can be fully managed"
  3. You should see the template now.

x86 ADM Template

;####################### Begin x86 adm setting  ###########################

CLASS MACHINE

CATEGORY "Group Policy workaround for KB973472, x86"

POLICY "MS 973472 Activex component {0002E541-0000-0000-C000-000000000046}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}"
EXPLAIN "Group Policy to disable CLSIDs outlined in the workaround section of kb973472"
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY

POLICY "MS 973472 Activex component {0002E559-0000-0000-C000-000000000046}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}"
EXPLAIN "Group Policy to disable CLSIDs outlined in the workaround section of kb973472"
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY

[strings]
kb973472="kb973472"
kb973472="Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX control could allow remote code execution "

;####################### End of x86 adm setting  ###########################

x64 ADM Template

;####################### Begin x64 adm setting  ###########################

CLASS MACHINE

CATEGORY "Group Policy workaround for KB973472, x64"

POLICY "MS 973472 Activex component {0002E541-0000-0000-C000-000000000046}"
KEYNAME "SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}"
EXPLAIN "Group Policy to disable CLSIDs outlined in the workaround section of kb973472"
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY

POLICY "MS 973472 Activex component {0002E559-0000-0000-C000-000000000046}"
KEYNAME "SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}"
EXPLAIN "Group Policy to disable CLSIDs outlined in the workaround section of kb973472"
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY

[strings]
kb973472="kb973472"
kb973472="Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX control could allow remote code execution "

;####################### End of x64 adm setting  ###########################

x64 Registry key

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400

x86 Registry key

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400

We also have the above samples available to download here.
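To confirm that the workaround actually landed, the check below reads a registry export and reports any of the two CLSIDs whose "Compatibility Flags" value lacks the 0x400 bit in either registry view. This is an added example, not part of the original post or of any Microsoft tool; the function names and the sample export are constructed for illustration, while the CLSIDs, key paths and flag value are the ones shown above.

```python
import re

# CLSIDs, key paths and flag value are the ones in the templates and .reg files above.
KILL_BIT = 0x400  # dword:00000400 in the .reg files, NUMERIC 1024 in the ADM templates
CLSIDS = (
    "{0002E541-0000-0000-C000-000000000046}",
    "{0002E559-0000-0000-C000-000000000046}",
)
BASES = {
    "native": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    "wow6432node": r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
}
VALUE_LINE = re.compile(r'^"([^"]*)"=(.*)$')


def parse_reg(text):
    """Parse "Windows Registry Editor Version 5.00" text into
    {key path (lower case): {value name (lower case): int or str}}.
    The caller decodes the file first (regedit writes exports as UTF-16)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1].lower()
            if path.startswith("-"):          # [-KEY] deletes the whole key
                keys.pop(path[1:], None)
                current = None
            else:
                current = keys.setdefault(path, {})
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            continue                          # header, comment or blank line
        name, data = m.group(1).lower(), m.group(2).strip()
        if data == "-":                       # "name"=- deletes the value
            current.pop(name, None)
        elif data.lower().startswith("dword:"):
            current[name] = int(data[6:], 16)
        else:
            current[name] = data.strip('"')
    return keys


def audit_killbits(reg_text, views=("native", "wow6432node")):
    """Return [(view, clsid, problem)] for every CLSID that is not blocked."""
    keys = parse_reg(reg_text)
    findings = []
    for view in views:
        for clsid in CLSIDS:
            path = (BASES[view] + "\\" + clsid).lower()
            flags = keys.get(path, {}).get("compatibility flags")
            if not isinstance(flags, int):
                findings.append((view, clsid, "key or value missing"))
            elif not (flags & KILL_BIT):      # bit test: other flag bits may be set too
                findings.append((view, clsid, "kill bit not set (flags=0x%08x)" % flags))
    return findings


# Constructed sample: both CLSIDs blocked in the native view (one key written in
# lower case), policy switched off for one CLSID under Wow6432Node, the other absent.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002e559-0000-0000-c000-000000000046}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000000
"""

if __name__ == "__main__":
    for view, clsid, problem in audit_killbits(SAMPLE_EXPORT):
        print(view, clsid, problem)
```

On a 64-bit machine both views matter, which is why the post ships a separate Wow6432Node template; pass views=("native",) when auditing a 32-bit machine.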

 

Regards,

The IE Support Team

Hi everyone!

Veena here to discuss an issue that might affect developers using Visual Studio 2005 to perform client side script debugging.

 

After you install Internet Explorer 8, you may no longer be able to perform client side script debugging using Visual Studio 2005. This issue is discussed in http://blogs.msdn.com/greggm/archive/2009/04/01/script-debugging-broken-in-vs-2005-after-installing-ie8.aspx.

Typically, setting the registry value : TabProcGrowth to a DWORD value of 0 is sufficient to resolve this problem.  However, if you are using Windows Vista, you need to follow ALL of the steps below to resolve this issue:

1) Install VS 2005 update for Vista from http://www.microsoft.com/downloads/details.aspx?FamilyID=90e2942d-3ad1-4873-a2ee-4acc0aace5b6&displaylang=en.

2) Install Visual Web Developer express from http://www.microsoft.com/express/vwd/Default.aspx.  This is to update PDM.DLL to the required version.

Please note:  You don't need to actually use it and can remove it after it is installed. Visual Web Developer express is the free Express SKU for VS2008.

3) Set the registry value : TabProcGrowth to a DWORD value of 0 under HKCU\Software\Microsoft\Internet Explorer\Main.

4) Run Visual Studio 2005 with elevated permissions.

 

Please note: This is a problem in Visual Studio 2005 and doesn’t happen with Visual Studio 2008.

 

Regards,

The IE Support Team

Hi everyone!

 

Here’s a quick blog to help users and administrators by-pass that initial web page asking you to save your settings after IE7 is installed…

 

After installing Internet Explorer 7, all users are supposed to save their settings. IE automatically redirects the page to "http://go.microsoft.com/fwlink/?LinkId=74005", which redirects to "http://runonce.msn.com/runonce2.aspx", until the user saves the settings that set their preferences, such as the default search engine, whether to turn on the automatic Phishing Filter, language settings and so on.

If the customer does not want to be auto-directed to this web page, then they need to follow the below steps.  Two values should be added/modified in the registry, so that IE 7 will go to the home page instead of the external link above:

1. Open the regedit.exe applet.
2. Go to registry key:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
3. Right-click this key and select New -> DWORD Value.
4. In the right pane, name the new value RunOnceComplete.
5. Right-click RunOnceComplete and click “Modify” and set the value data to 1.
6. Repeat Step 3 to Step 5 to create/modify the value name RunOnceHasShown and set the value data to 1.
7. Restart IE 7 to see if it still visits the Save settings web site.

 

If you are familiar with using .REG files, then you can use what’s below to create one and use:

 

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"RunOnceComplete"=dword:00000001
"RunOnceHasShown"=dword:00000001

 

Please note: IE7 will query the two values RunOnceComplete and RunOnceHasShown every time it starts. If these values have been set as depicted above, IE will visit the home page set in the IE control panel.

For terminal server, you can set a log-on script, so that these two values will be added and set automatically when users connect to the server.

 

Regards,

The IE Support Team

Hi everyone!

We’ve had some requests come in asking for an ADM template that would give Administrators the option to Enable or Disable the “Check for publisher's certificate revocation” Internet Explorer option.  In any event, here it is.  Simply cut/paste the content below into a file with .ADM extension and then add custom template manually:

CLASS USER
CATEGORY "Windows Components"
CATEGORY "Internet Explorer"
CATEGORY "Internet Control Panel"
CATEGORY "Advanced Page"
POLICY "Check for publisher's certificate revocation"
KEYNAME "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"
EXPLAIN "Custom ADM template to Enable/Disable the IE advanced option, “Check for publisher's certificate revocation”"
PART State DROPDOWNLIST REQUIRED
VALUENAME "State"
ITEMLIST
NAME Enabled VALUE NUMERIC 146432
NAME Disabled VALUE NUMERIC 146944
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY
END CATEGORY
END CATEGORY

Please note:  You will need to disable the Group Policy filter option, “Only show policy settings that can be fully managed”, before the custom ADM template policy will be displayed:

image

Well, that’s all for now!

Regards,

The IE Support Team

Hey folks!

We’ve received many many requests asking if the workaround mentioned in KB972890 can be implemented via Group Policy.  To that end, we’ve put together an ADM template to help Domain Admins roll this out through Group Policy.  It’s an “as is” template, so feel free to tweak it as needed.

Important: This policy requires that you disable filtering in the group policy editor. See steps below on how to set this up.

How to load the Custom ADM Template?

  1. To start Group Policy, click Start and then click Run. In the Open box, type GPEdit.msc or GPMC.msc if from a Domain policy and then click OK.
  2. Select Administrative Templates from the Computer Configuration branch.
  3. Right-click the Administrative Templates branch, and then select All Tasks.
  4. Select Add/Remove Templates.
  5. Click Add.
  6. Load the ADM templates.

NOTE: Windows 2003, Windows XP will display the policy under: Administrative Templates > New Policy

Here is how you disable the Group Policy filter:

  1. Right click on the Policy and select View > detail > Filtering
  2. Remove the checkmark from the checkbox next to "Only show policy settings that can be fully managed"
  3. You should see the template now.


Please see the attached file below that contains the ADM templates.

Note:

We have updated the template based on some great feedback from our readers. When the policy is enabled, it will set the value to hex 1024, and when disabled, to 0.

In the Zip file [ADM_KB972890_v_07-09-09.zip], you should find:

  1. The IE 32 bit custom adm version: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]
  2. The IE Wow6432Node (x64) custom adm version: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility
  3. The registry export (.reg) export for both IE 32 bit and x64 IE version.
  4. Readme.txt with our Registry import disclaimer.

 

Related Article:

 

Regards,

The IE Support Team

 

Hi Everyone!

Just wanted to let everyone know that a FixIT is currently available to help users protect themselves against this latest ActiveX Control vulnerability outlined here:  http://www.microsoft.com/technet/security/advisory/972890.mspx

The FixIT, when run, will automatically disable the Microsoft Video ActiveX Control.  More information, as well as the FixIT files themselves, can be found here:  http://support.microsoft.com/kb/972890

 

Related Article:

 

Regards,

The IE Support Team

Hi Everyone!

Axel again, from the IE Escalation team, with another Group Policy pointer.

Recently, I was asked to assist in disabling DEP (Data Execution Prevention) for Internet Explorer. This can be done from Group Policy.  The policy will allow you to turn off the Data Execution Prevention feature that is now on by default when you install Internet Explorer 8. There are good reasons why this is turned on by default and you should read about it here before making a conscious decision to turn it off with this policy.

Please note: This policy should only be implemented if absolutely necessary, as bypassing Memory Protection could cause serious damage to your computer and organization.

Policy description:  This policy setting allows you to turn off the Data Execution Prevention feature for Internet Explorer on Windows Server 2008, Windows Vista SP1 and Windows XP SP3.

If you enable this policy setting, Internet Explorer will not opt-in to Data Execution Prevention on platforms that support the SetProcessDEPPolicy API.

If you disable or do not configure this policy, Internet Explorer will use the SetProcessDEPPolicy API to turn on Data Execution Prevention protection on platforms that support the API.

This policy has no effect if Windows has been configured to enable Data Execution Prevention.

Location: Computer Configuration > Internet Explorer > Security Features > Turn off Data Execution Prevention

Screenshot of the policy:

clip_image002

More information:

  1. IE8 Security Part I: DEP/NX Memory Protection: http://blogs.msdn.com/ie/archive/2008/04/08/ie8-security-part-I_3A00_-dep-nx-memory-protection.aspx
  2. How do I improve my website and add-ons?: http://www.microsoft.com/windows/internet-explorer/readiness/developers-existing.aspx

 

Regards,

The IE Support Team

Hi Everyone!

Axel Rivera again from the IE Escalation team with another IE Enhanced security topic for your viewing pleasure!

:-)

In this Blog I would like to share a batch file I use to help disable IE Enhanced Security silently on Windows 2003 servers.  The challenge is that if you have multiple servers, removing it from server console is not practical and can require tremendous administrative overhead.

Please note:  The same task can be achieved from the Windows Add or Remove Programs user interface.

Cut and paste the lines below into notepad and save the file as "DisableIEES.bat".  This will create a simple batch which can be used to disable IEES (IE Enhanced Security):

:: START

::Related Article

::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server

::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

:: This adds the entry; in some cases we have seen that the value is not even there, which causes other problems. So we just add it and delete it later.

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f

::Removing IE Enhanced Security from System  

Rundll32 iesetup.dll,IEHardenUser

Rundll32 iesetup.dll,IEHardenAdmin

Rundll32 iesetup.dll,IEHardenMachineNow

:: Disabling IEHarden for user

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /V "IEHarden" /t REG_DWORD /d 0 /f

:: Removes from Add Remove Components

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenadmin" /t REG_DWORD /d 0 /f

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenuser" /t REG_DWORD /d 0 /f

::Removed the Values from the IEHarden installed components key

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /f /va

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /f /va

::END

Here is where you can set the login script in a policy:

> From Start\run type: gpedit.msc

> From User Configuration

   > Windows Settings

      > Scripts(logon\logoff)

         > Select Logon

            > Click on the Add... button

            > Click on the Browse... button

            > Navigate to the directory where you have the file I sent you (EXE or BAT)

               [You can copy the file to the default Logon script directory: %windir%\system32\grouppolicy\user\scripts\logon]

            > Apply and OK btn to complete

> Close GPEdit.msc

> Start\run type: gpupdate /force to update the policy

> Log in with a profile you know has the problem and see if this takes care of the problem.

More information:

There are two parts to turning off IE Enhanced Security.

We need to first identify the registry keys used to change the IE Enhanced Configuration Settings.

Here are the keys as a .reg export format:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]

"IsInstalled"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]

"IsInstalled"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

@=""

"IEHarden"=dword:00000000

"UNCAsIntranet"=dword:00000000

"AutoDetect"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents]

"iehardenadmin"=dword:00000000

"iehardenuser"=dword:00000000

Then, we use the rundll32.exe command to execute the IEHarden.inf with some parameters to help turn off the Machine ("IEHardenMachineNow"), Administrator ("IEHardenAdmin") and User ("IEHardenUser") configuration.

Here is the command I use to turn off IE Maintenance using the IEHarden.inf file:

Rundll32 iesetup.dll,IEHardenUser

Rundll32 iesetup.dll,IEHardenAdmin

Rundll32 iesetup.dll,IEHardenMachineNow

After you execute the batch file from an existing user profile, you should consider logging out and logging back in to make sure the changes take effect.  New users should now have IE Enhanced Security disabled.

Regards,

The IE Support Team

Hi everyone!

Axel here from the IE Escalation team with a scenario related to  Security Warning - Unknown Publisher pop-up when executing a file that came from a non trusted source.

Please note:  The example below sets HIGH RISK files types to LOW RISK so that they can be executed without having to honor the warning dialog.  We are creating this example because many corporate customers request this change to make their day-to-day operations easier to maintain.  With that said, setting these options in attachment manager can put your system at risk, so please fully read the external documentation available on Attachment Manager and weigh the risks involved before making the decision to allow these files types to be executed without warning the user.

I am sharing this out because the immediate assumption is that just adding the server name to the Local or Trusted Sites zone will allow the file to be executed, which is not accurate. Once the file comes down from the untrusted source with the Block file stream attached (see Fig. 1.1), you won't be able to run it without first getting the warning mentioned in this blog (see Fig. 1.0) until you remove that attribute.

Fig. 1.0 [Screenshot of the Warning with the checkbox “Always ask before opening this file” option]

image

Fig. 1.1 [Screenshot of the executable properties, showing the Security Unblock option]

image

Here is what it may look like once you have unchecked the option next to “Always ask before opening this file”.

Fig. 1.2 [Here is what you will still get, even after you have removed the checkbox]

image

Once you add the unc path to either the Local or Trusted Sites Zone, you will no longer get the warning.

In the above example, we can see that the application did not have a digital signature that verifies its publisher, so we will have to do more work to bypass the warning. You can either have the executable signed using signcode.exe or use the built-in Windows Attachment Manager policy.

The reason why you get the warning in the first place is that in Windows XP/SP2 and Windows 2003/SP1 we introduced a new feature called Attachment Manager. This feature was added to help protect your computer from unsafe file attachments. This includes files accessed across your network (e.g. \\servername\share), files that you might receive with an e-mail message and unsafe files that you might save from the Internet.

If the Attachment Manager identifies an attachment that might be unsafe, the Attachment Manager prevents you from opening the file, or it warns you before you open the file.

Here are the steps to bypass the warning using Attachment Manager Group Policy. I am also including the registry key modified by the policy.

 


 

From Start Run type: gpedit.msc

From User Configuration> Administrative Template> Windows Components> Attachment Manager

Set the following:

Configuration Settings:

> Default risk level for file attachments: Set it to Enabled and set the default risk level to [Low Risk]

> Inclusion list for low file types: Set it to Enabled and add the file extension [.exe;.vbs;.msi]

> Do not preserve zone information in file attachments: Set it to Enabled.

Close Gpedit.msc and run gpupdate /force

Screenshot of the policy:

clip_image001

Final Step:

> Add the UNC to Local Intranet or Trusted Sites

> Log off and log back in

> Test accessing the UNC share


Registry keys:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]

"LowRiskFileTypes"=".exe;.vbs;.msi"

"DefaultFileTypeRisk"=dword:00001808

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]

"SaveZoneInformation"=dword:00000001
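Because these three values remove the prompt for executable content, it is worth being able to spot them on machines where nobody remembers setting them. The check below is an added example, not part of the original post or of any Microsoft tool: it reads a registry export of the Policies keys above and lists each setting that weakens Attachment Manager. The function names, the EXECUTABLE_TYPES set (an illustrative subset, not Windows' built-in high-risk list) and the second sample export are assumptions made for the illustration.

```python
import re

# DefaultFileTypeRisk values written by the "Default risk level" policy.
RISK_LEVELS = {0x1806: "High", 0x1807: "Moderate", 0x1808: "Low"}
# Illustrative subset of directly runnable types; extend it for your environment.
EXECUTABLE_TYPES = {".exe", ".vbs", ".msi", ".bat", ".cmd", ".js", ".scr"}


def _dword(text, name):
    """Return the named REG_DWORD from .reg text as an int, or None if absent."""
    m = re.search(r'^\s*"%s"=dword:([0-9a-fA-F]{1,8})\s*$' % re.escape(name),
                  text, re.M | re.I)
    return int(m.group(1), 16) if m else None


def _string(text, name):
    """Return the named REG_SZ from .reg text, or None if absent."""
    m = re.search(r'^\s*"%s"="(.*)"\s*$' % re.escape(name), text, re.M | re.I)
    return m.group(1) if m else None


def audit_attachment_policy(reg_text):
    """List the Attachment Manager settings in reg_text that suppress warnings."""
    findings = []
    risk = _dword(reg_text, "DefaultFileTypeRisk")
    if RISK_LEVELS.get(risk) == "Low":
        findings.append("DefaultFileTypeRisk=Low: file types on no list are treated as low risk")
    low = _string(reg_text, "LowRiskFileTypes") or ""
    listed = {ext.strip().lower() for ext in low.split(";") if ext.strip()}
    risky = sorted(listed & EXECUTABLE_TYPES)
    if risky:
        findings.append("LowRiskFileTypes contains executable types: " + ", ".join(risky))
    if _dword(reg_text, "SaveZoneInformation") == 1:
        findings.append("SaveZoneInformation=1: zone information is not preserved on saved files")
    return findings


# The values from the post above.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe;.vbs;.msi"
"DefaultFileTypeRisk"=dword:00001808

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
"""

# Constructed counterpart: moderate default risk, no low-risk list, zone information kept.
STRICT_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"DefaultFileTypeRisk"=dword:00001807

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000002
"""

if __name__ == "__main__":
    for finding in audit_attachment_policy(WEAK_EXPORT):
        print(finding)
```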


Article below explains everything about Attachment Management.

Regards,

The IE Support Team

Hi Everyone!

It’s Bac again with another solution for you…

Just in case you are running NGINX Web Server and wondering how to add the ‘X-UA-Compatible’ HTTP Header to the web server, here are the steps:

1) Open the  nginx.conf file in WordPad from nginx\conf folder

2) Add the add_header line shown below to the server{..} section and save

server {

listen 80;

server_name localhost;

#charset koi8-r;

add_header 'X-UA-Compatible' 'IE=EmulateIE7';

#access_log logs/host.access.log main;

location / {…

3) Stop and restart NGINX server

 

Please note:  the above steps have been tested on version 0.6.

For information on how to add this Header to IIS Server see http://msdn.microsoft.com/en-us/library/cc817572.aspx and Apache Server see http://msdn.microsoft.com/en-us/library/cc817573.aspx

 

Regards,

The IE Support Team

Hi everyone!

 

Well, we’ve come across another behavior that some of you are running into so we thought it was time to do a quick write up on the behavior and why it has changed.  The behavior is a little complicated if you are real savvy with how IE makes connections using the HTTP protocol.  Hopefully, we can give you an overview of the behavior that won’t bore you to tears!

:)

 

Starting with IE7, a behavior change has been made in how IE handles certain Server response codes to web browser connections that originate as a CONNECT request.  Specifically, if a CONNECT request is made by IE to a Web Server and it receives a Server response to that CONNECT request with something other than 200, IE could reject that response as invalid (ERROR_HTTP_INVALID_SERVER_RESPONSE).

Below is an example of what you might see when connecting to a secure web site with IE using an initial CONNECT with a Proxy Server in between the IE client machine and the Web Server you are connecting to:

 

CONNECT www.MyTestSSLSite.com:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: www.MyTestSSLSite.com
Pragma: no-cache

HTTP/1.1 200 Connection established
Proxy-Connection: Keep-Alive
Connection: Keep-Alive
Via: 1.1 MyTestProxyServer

This is a working example because the Server response to the CONNECT request is a level 200 response code which means the CONNECT request by the IE client has been honored.

Of course, this isn’t the scenario where IE fails to honor the Server response.  Failure cases we see are when a Proxy Server returns a Server response code other than the expected 200, as seen above.  This can happen for several reasons and is often done purposely by the Proxy Server.  The response below, for example, will indeed be rejected by IE when it is connecting to a Web Server through a proxy, where a CONNECT request would be used to make the initial secure HTTP connection:

CONNECT www.MyTestSSLSite.com:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: www.MyTestSSLSite.com
Pragma: no-cache

HTTP/1.1 302 Redirected
Date: Wed, 17 June 2009 14:21:38 GMT
Proxy-Connection: Keep-Alive
Connection: Keep-Alive
Location: http://10.1.0.5/MyTestRedirectPage.html

As you can see in this second example above, the Server response code is now a 302 instead of the 200 expected by IE.  This Server response is telling the IE client to redirect its request to a different site than the one it made the initial CONNECT request to.  Allowing this Server response to be honored by the IE client would be risky because the Proxy Server could return content that IE would interpret as being from the origin server, which Microsoft sees as an unsecure scenario, and so honoring the 302 response in this scenario is no longer allowed. This change in behavior doesn’t mean that all Server responses which are not 200 are rejected.  400-level response codes are still valid and honored in the above scenario.
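For proxy administrators, the rule above can be turned into a check over captured CONNECT exchanges that picks out the replies IE7 and later will refuse. This is an added example that models the behavior as this post describes it (200 accepted, 400-level honored, anything else rejected); it is not WinINet's code, the function names are made up for the illustration, and the 407 reply is a constructed sample alongside the two replies taken from the traces above.

```python
import re

REQUEST_LINE = re.compile(r"^CONNECT (\S+) HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")


def split_message(raw):
    """Return (start line, {header name in lower case: value}) for a raw message head."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                             # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return (lines[0].strip() if lines else ""), headers


def classify_connect_reply(raw_response):
    """Return (verdict, status code, redirect target) for a reply to CONNECT."""
    start, headers = split_message(raw_response)
    m = STATUS_LINE.match(start)
    if m is None:
        return "rejected", None, None         # not a parsable status line
    code = int(m.group(1))
    if code == 200:
        return "tunnel", code, None           # CONNECT honored, TLS handshake follows
    if 400 <= code <= 499:
        return "honored-error", code, None    # e.g. proxy authentication or access denied
    return "rejected", code, headers.get("location")


def refused_by_ie7(exchanges):
    """From [(raw request, raw response)], list the CONNECT targets IE7+ will not reach."""
    refused = []
    for request, response in exchanges:
        start, _ = split_message(request)
        m = REQUEST_LINE.match(start)
        if m is None:
            continue                          # only CONNECT requests are affected
        verdict, code, location = classify_connect_reply(response)
        if verdict == "rejected":
            refused.append({"target": m.group(1), "status": code, "location": location})
    return refused


# Request and the first two replies are from the traces above (User-Agent omitted);
# the 407 reply is constructed.
REQUEST = """CONNECT www.MyTestSSLSite.com:443 HTTP/1.0
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: www.MyTestSSLSite.com
Pragma: no-cache
"""
OK_REPLY = """HTTP/1.1 200 Connection established
Proxy-Connection: Keep-Alive
Connection: Keep-Alive
Via: 1.1 MyTestProxyServer
"""
REDIRECT_REPLY = """HTTP/1.1 302 Redirected
Date: Wed, 17 June 2009 14:21:38 GMT
Proxy-Connection: Keep-Alive
Connection: Keep-Alive
Location: http://10.1.0.5/MyTestRedirectPage.html
"""
AUTH_REPLY = """HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: NTLM
Proxy-Connection: Keep-Alive
"""

if __name__ == "__main__":
    pairs = [(REQUEST, OK_REPLY), (REQUEST, REDIRECT_REPLY), (REQUEST, AUTH_REPLY)]
    for row in refused_by_ie7(pairs):
        print(row)
```

A proxy that needs to show users a block or login page for HTTPS destinations has to do so with a 400-level reply to the CONNECT rather than a redirect.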

Please note:  You can see HTTP protocol traffic  using an HTTP tracing tool such as Fiddler or a network analyzer tool such as Microsoft Network Monitor.  Of course the CONNECT request is setting up a secure HTTP connection and so further traffic will be encrypted.  A debug version of wininet.dll can allow you to view encrypted HTTP traffic via the wininet log it can generate.

Well hopefully this blog was more entertaining than fingernail scratches on a chalkboard – until next time!

 

Regards,

The IE Support Team

Hi everyone!

We’ve got an emerging issue showing up in our support channels where IE printing functionality (printing, print preview) fails on the Windows XP operating system.  This issue is specific to IE7 and IE8 and we have only reproduced the issue with service pack 3 installed, thus far, but we certainly aren't ruling out other platforms that can install and run either of these revisions of IE.

The behavior is easily recognizable as you will see a blank screen within the print preview dialog instead of the page to print out.  Furthermore, if you try and actually print the page, nothing happens and the page does not print out.

Please note:  Some users have noted seeing this behavior after installing the latest IE cumulative update, KB969897.

In troubleshooting this behavior, we have found that uninstalling the Microsoft Software Inventory Analyzer software, via Add or Remove Programs option in Control panel, resolves these printing functionality issues.  This is our recommendation.

Deeper troubleshooting of this issue indicates a registry key added by the Microsoft Software Inventory Analyzer, may be the root cause of the failure.  The registry key in question is seen below:

image

[HKEY_CLASSES_ROOT\.dlg]

@="MsiaUtils"
"Content Type"="application/msia-dlg"

Removal of this registry key also seems to resolve the printing functionality issues within Internet Explorer.  However, if you are not proficient at using the registry editor tool, we do not suggest using this method but instead suggest that you simply uninstall the Microsoft Software Inventory Analyzer software.

You can also remove the extension type via Explorer:

1.  From the Windows desktop, double-click on My Computer.
2.  Click on Tools and then Folder Options from the menu.
3.  Click on the File Types tab within the Folder Options dialog.
4.  Within the Registered file types listing, find the DLG extension.
5.  Highlight and then click the Delete button and then choose Yes to remove.

 image

Please note:  This tool is not supported by Product Support Services.

We have some new information coming in that the inclusion of this key seems to be affecting the rendering of text inside CSS styled textboxes.  Applications, for example WordPress, may be negatively affected as well.

UPDATE! 

We’ve been working directly with the MSIA team and they have informed us that they will be making a code change to the product to help resolve this issue.  More detail on the availability of this update can be found here.  The MSIA team also suggests that instead of just removing the above values from the registry, users install, use, and then uninstall the MSIA tool to mitigate the app-compat issue with IE.  This is because removal of the registry information can cause certain areas of the MSIA tool to fail, such as the feedback and licensing display forms.

Regards,

The IE Support Team
